Governance Risk and Compliance (GRC)
The rapid expansion of technology, the growth of the Internet as a medium for business transactions, the complexity of IT infrastructure and increasing dependence on external parties pose serious governance challenges. The ever-increasing exposure of organizations to new security threats and risks makes the role of business managers critical. At the same time, data protection regulations put increasing pressure on organizations through stringent requirements, regulatory fines, prescribed terms for data processing and mandatory compliance reporting. Until recently, governance, risk and compliance were largely dealt with in isolation by different departments and functions. Organizations have now started to realize that these are closely knit elements of their ecosystem, and a relatively new discipline of Governance, Risk and Compliance (GRC) has emerged that helps them take an integrated and holistic approach to managing all three.

The board of directors and executive management exercise a set of practices and responsibilities with the goal of providing strategic direction to achieve the organization's objectives, ascertaining that risks are managed appropriately and, while doing so, assuring that the organization's resources are used responsibly. With this affirmation, the board and executive management also assure that the organization complies with regulatory requirements in a transparent manner. GRC is therefore the establishment of managerial intent: assuring that the entities are transparently governed, specifying the culture for decision making, accountability and integrity, and setting a clear direction for the organization to achieve its defined goals.
GRC also means directing, controlling and strongly influencing the entities concerned so that they achieve the stated expectations. It entails aligning risk management with business strategy while ensuring compliance at the same time. GRC relies on proactive due diligence and the adoption of best practices for operations and management. It assures that management decisions are implemented as intended through effective controls, that performance is measured against predefined metrics, and that policies are enforced in their true spirit.
The DSCI SECURITY FRAMEWORK (DSF©) treats GRC as one of its important disciplines, one that demands focused attention to understand the complexity involved in making the strategy work on the ground. This discipline guides how senior management achieves the strategic objectives, provides assurance against compliance requirements and obtains confidence that risks are diligently managed.
- Identify how the board of directors and executive management share the responsibility for security
- Identify how the board of directors and executive management establish security strategies and objectives, and how these are articulated through policies and procedures, the security structure, defence mechanisms, the assurance function, compliance management, performance management, and the establishment and sustenance of a security culture
- Identify the elements deployed for achieving the security strategy and business objectives in a desired and repeatable manner
- Identify the characteristics of security initiatives, functions, operations and activities to find whether security is an enterprise wide initiative or a function limited to departments such as IT, HR and administration
- Identify the standards and frameworks that the organization follows for its security initiatives, for example ISO 27001, COBIT, COSO and PCI DSS
- Map the security initiatives, functions and measures deployed for each respective business initiative
- Identify the structure of roles and responsibilities distributed for security along with their organizational hierarchy and reporting. Evaluate how responsibility is distributed and accountability is ensured for key security tasks
- Create an inventory of security functions, roles, activities and operations. Identify how they are grouped and executed
- Evaluate how the different security groups and functions work, how they collaborate and coordinate, how information flows between them and what processes interface them. Identify whether these groups and functions act in silos or in an integrated manner
- Evaluate the characteristics of security management: whether the focus is strategic and how adequate the strategic efforts are; how security is managed and what the defence strategies are; and how operations are performed
- Identify how countermeasures are planned, deployed, managed and measured
- Evaluate how risks are assessed, managed, and reported
- Evaluate how the organization responds to failed audits, to the identification of major or minor vulnerabilities, to identified security exploitation or compromise, etc.
- Evaluate the manner in which the controls and risks are managed and monitored. Identify how much manual effort is deployed and the level of automation achieved.
- Evaluate how change management is performed. How is security managed in the organization's change management processes? How does the change management workflow provide assurance over security?
- Evaluate how security is managed in the life cycle processes of IT asset management and application development.
- Create an inventory of compliance functions, processes, activities and operations and map them to respective compliance requirements and organization’s in-scope assets
- Identify how compliance requirements are tracked and managed. How are non-conformances and exceptions managed?
- Create an inventory of legal and HR elements with respect to compliance and assurance functions. Map them to individual compliance requirements. The elements can be: contractual clauses, legal liabilities, employment terms and conditions, acceptable usage policies, etc
- Evaluate how security and the risks that can arise from third party service providers are managed. How are the security initiatives of vendors and third party service providers driven? How is assurance over their security obtained?
- Evaluate how security incidents are managed. How are incidents identified? How are they analysed? How are they reported? What response do they evoke in the organization? How are they reported to management?
- Identify the technology solutions deployed for Governance, Risk and Compliance initiatives.
- Evaluate how security related information flows in the organization. For each type of security information, identify the information flow path and different entities and roles having access to such information
- Evaluate how the data about security and risk management is governed. Identify how this data is used for decision making, taking corrective actions, and changing the course of strategic direction
- Evaluate whether the resources and efforts deployed for security are adequate. Assess the adequacy of security resources distributed across strategic, tactical and operational layers
- Evaluate how the organization practises innovation in security management. How does the organization enhance its intelligence in the different disciplines of security? How does it manage knowledge and collaborate with external and internal agencies to that end?
- Evaluate all GRC initiatives, operations and activities for their simplicity, effectiveness, alignment to businesses, accountability and consistency
- Ensure that there exists a structure for GRC that oversees tasks such as security policy management, compliance management, risk management, vendor or third party risk management and threat and vulnerability management
- Ensure that security and risk management are integrated with enterprise governance processes.
- Ensure that the board of directors and executive management define responsibilities and practices, provide strategic direction, ensure that objectives are achieved, ascertain that risks are managed effectively, and ensure that the organization's resources are used responsibly
- Ensure that the senior management’s engagement for security is visible across the organization.
- Ensure that security is managed as an enterprise issue.
- Ensure that a framework exists for decision making, establishing accountability and integrity of actions for managing security and risk. Ensure that the management is in a position to direct, control, and strongly influence the entities that are involved in security and risk management to achieve the stated expectations
- Ensure that there exist sufficient instruments to reflect management's intent and objectives in the practices and culture of the organization. These instruments could be policies and procedures, technology solutions, an acceptable use policy, administrative norms and disciplinary procedures
- Ensure that security and risk management processes align with business objectives and Line-of-Businesses (LOBs) are involved in the security governance, risk and compliance initiatives
- Ensure that a culture of security is embedded in the organization's conduct, beliefs, behaviours, capabilities and actions
- Ensure that there exists a mechanism which helps translate governance objectives and business considerations into business rules. These rules govern the operations in accordance with high level objectives and strategies and are used to configure devices, tools and solutions
- Ensure that there exists a complete mapping between governance objectives, policy items and configuration elements. This shows how a specific objective is achieved by one or many operational elements of the organization, and exposes objectives that no operational element currently implements
- Ensure that there exists a significant provision for configuration of devices, tools and solutions as per the enterprise policies. The configuration capability of devices, tools and solutions should match granular and diverse requirements to support the governance objectives
- Ensure that the policy and configuration management timely addresses the protection requirements and swiftly invokes the corrective response in case of discrepancies or security compromises
- Ensure that there exists a framework for risk management that helps identify, analyse and mitigate risks. Ensure that the framework is underpinned by risk management principles that articulate the organization's behaviour with respect to its ability to manage and tolerate risk
- Ensure that the organization adopts the right techniques and tools for risk assessment
- Ensure that protection priorities of the organization are proportionate to the risk it is facing.
- Ensure that the results of risk assessment exercises are managed effectively
- Ensure that there exists a structure for compliance management. Typical components of the compliance structure can be the compliance function, organization structure, standards adopted for compliance, policies and procedures, control systems, process and technical design, mechanisms deployed for compliance processes, and tools and solutions for compliance
- Ensure that there exists a regulatory and compliance intelligence mechanism.
- Ensure that there exists a map of each compliance requirement to the respective control or controls deployed by the organization
- Ensure that the organization has capabilities for continuously monitoring the effectiveness of controls deployed against each compliance requirement
- Ensure that the compliance process provides consistent, well-documented and repeatable results.
- Ensure that there exists a mechanism for reporting compliance to the regulatory authorities.
- Establish an audit management function that provides important inputs on the state of security for consumption of different stakeholders in the organization.
- Ensure that the security and risk management processes are integrated with the change management processes of the organization. This is to ensure that security issues, introduced by any change are managed effectively.
- Ensure that security is managed in the life cycle process of the IT assets and applications.
- Ensure that the scope of GRC is extended to the systems and services managed by business partners, vendors, third party service providers and externally provisioned applications and systems.
- Ensure that information governance plays an important role in GRC initiatives. Establish policies for accountability of information, retention and archival of information, and review and destruction of information
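The mapping between governance objectives, policy items and configuration elements described above, and the requirement that each compliance requirement be mapped to a deployed control whose effectiveness is continuously monitored, can both be checked mechanically. The following is an added example and is not part of the DSCI Security Framework: it models objectives, policy items and configuration checks as a small "compliance as code" structure, evaluates the checks against a configuration snapshot, and reports objectives with no policy item, policy items with no check, and checks that fail. All identifiers (OBJ-1, POL-1.1, CTL-SSH-01 and so on), the settings checked and the snapshot values are constructed for illustration.

```python
# Added example (not part of the DSCI Security Framework): a minimal
# "compliance as code" mapping of governance objectives -> policy items ->
# configuration checks, evaluated against a configuration snapshot.
# All objective, policy and control identifiers and the snapshot values
# below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Any, Callable


@dataclass(frozen=True)
class ConfigCheck:
    """One operational control: a setting in the snapshot and the predicate it must satisfy."""
    control_id: str
    description: str
    path: str                       # dotted path into the configuration snapshot
    predicate: Callable[[Any], bool]


@dataclass
class PolicyItem:
    policy_id: str
    statement: str
    checks: list = field(default_factory=list)    # ConfigCheck instances


@dataclass
class Objective:
    objective_id: str
    statement: str
    policies: list = field(default_factory=list)  # PolicyItem instances


def lookup(snapshot: dict, path: str) -> Any:
    """Resolve a dotted path; return None when the setting is absent, so a missing
    configuration element is treated as a failed control rather than silently ignored."""
    current: Any = snapshot
    for key in path.split("."):
        if not isinstance(current, dict) or key not in current:
            return None
        current = current[key]
    return current


def evaluate(objectives: list, snapshot: dict) -> dict:
    """Check the completeness of the mapping and the state of each control.

    Returns objectives with no policy item, policy items with no configuration
    check, and failed checks as (objective, policy, control, observed value)."""
    report = {"unmapped_objectives": [], "unmapped_policies": [], "failed_checks": []}
    for obj in objectives:
        if not obj.policies:
            report["unmapped_objectives"].append(obj.objective_id)
        for pol in obj.policies:
            if not pol.checks:
                report["unmapped_policies"].append(pol.policy_id)
            for chk in pol.checks:
                observed = lookup(snapshot, chk.path)
                if observed is None or not chk.predicate(observed):
                    report["failed_checks"].append(
                        (obj.objective_id, pol.policy_id, chk.control_id, observed))
    return report


def example_objectives() -> list:
    """Constructed mapping with hypothetical identifiers, not taken from any standard."""
    return [
        Objective("OBJ-1", "Administrative access to servers is restricted", [
            PolicyItem("POL-1.1", "Remote root login is disabled", [
                ConfigCheck("CTL-SSH-01", "sshd PermitRootLogin must be 'no'",
                            "sshd.PermitRootLogin", lambda v: v == "no"),
                ConfigCheck("CTL-SSH-02", "sshd password authentication disabled",
                            "sshd.PasswordAuthentication", lambda v: v == "no"),
            ]),
        ]),
        Objective("OBJ-2", "Security events are retained for investigation", [
            PolicyItem("POL-2.1", "Audit logs retained at least 365 days", [
                ConfigCheck("CTL-LOG-01", "log retention >= 365 days",
                            "logging.retention_days",
                            lambda v: isinstance(v, int) and v >= 365),
            ]),
            PolicyItem("POL-2.2", "Logs forwarded to a central collector", []),  # no check yet
        ]),
        Objective("OBJ-3", "Third-party access is governed", []),  # no policy item yet
    ]


def example_snapshot() -> dict:
    """Constructed configuration snapshot, as a collector might export it."""
    return {
        "sshd": {"PermitRootLogin": "yes", "PasswordAuthentication": "no"},
        "logging": {},   # retention_days is not set at all
    }


def run_example() -> dict:
    return evaluate(example_objectives(), example_snapshot())


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Run against the constructed snapshot, the report lists OBJ-3 as an objective with no policy item, POL-2.2 as a policy item with no check, and two failed checks: CTL-SSH-01 (PermitRootLogin is "yes") and CTL-LOG-01 (the retention setting is absent). Treating an absent setting as a failure rather than a pass is the deliberate design choice here; a control that cannot be observed should not be reported as effective.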
- Involvement and commitment of the board of directors and executive management reflects the intent and culture of an organization as well as the adequacy of the assigned resources
- Business alignment of GRC function reflects how well GRC objectives, goals and operations are aligned with the business
- Distribution of responsibility and accountability reflects how the structure for GRC is laid down across the strategic, tactical and operational layers of an organization.
- Coverage and extent of GRC function reflects whether the GRC function covers all applicable assets and systems, including that of partners, vendors and service providers
- Integration and convergence of GRC function reflects whether the different functions work in an integrated manner, or in silos
- Ability to transform the business objectives and governance goals in operational practices reflects how well the operational elements are aligned to the business objectives and goals
- Adequacy of instruments for policy enforcement and compliance assurance reflects the adequacy and competence of these instruments to enforce high level policies and provide compliance assurance
- Architectural treatment of the GRC function reflects whether each individual component of the GRC function is derived from a structured design or plan
- Configurability of devices, tools and solutions reflects the ability of these devices, tools and solutions to comply with policy objectives and goals
- Strategy and governance context in operational decision making reflects how the context of the organization's policy is built into operational decisions
- Systematization of security and risk management processes reflects the maturity of the processes and their ability to integrate with enterprise governance
- Integration with change and life cycle management reflects how well security and risk management is integrated with an organization’s change and life cycle processes